Business is moving to the cloud… it's just happening far more slowly than anticipated five years ago. Sure, certain aspects of many organizations' setup have embraced the cloud – such as email, office productivity and engineering development – but many older apps and infrastructure won't be migrated any time soon.
This means that most organizations are still inexperienced, developers still expect freedom from organizational processes, and the technology continues to morph rapidly. Understandably, this mix of excitement and anxiety has led to a number of misconceptions. We explode five of the most commonplace.
The cloud itself is not inherently unsafe… in fact no more so than a typical data center when used correctly. Indeed, in all the FireEye Mandiant incident responses conducted on public clouds to date, we've uncovered exploitation of configuration or customer code, but never errors in the provider's code or infrastructure implementation.
Are you sure? You'd be challenged to find any modern organization that does not use some kind of web service, whether for banking, web hosting, HR, finance, logistics or many other functions, especially as the term 'cloud' includes software as a service.
Under the shared responsibility model, the customer is the ultimate custodian of its data and as such, is responsible for safeguarding it. Sure, the provider ensures that its facilities are secure, the hardware is not compromised, and the underlying software and operating systems of any services offered are secure. However, it's the customer's responsibility to ensure that virtual machines are patched, apps aren't vulnerable, and credentials are being used legitimately.
Securing the cloud is not like securing a computer in someone else's data center. There are storage services, containers and other non-traditional services to consider in addition to more familiar virtual machines. These services could comprise hundreds or thousands of real servers spread across many data centers, all to fulfill a single service request.
This demands additional visibility and planning to provide security controls and instrumentation around distributed and non-discrete compute offerings. These services are consumed through an API rather than as a host you log into: the concepts of IP addresses and operating systems often don't apply, so security configuration and controls can't rely on traditional implementations like firewalls and anti-virus.
Attackers follow data, including when it goes into the cloud. Around 20% of Mandiant incident response engagements involve assets housed on a public cloud, and almost every one we perform involves public cloud in some way. The cloud does not hinder threat actors – they easily adapt their TTPs to compromise cloud accounts to access confidential data, steal computing resources and spy on targets.
Anything of value you put in the cloud will be a target, and needs protecting accordingly. This means both implementing basic cloud security best practices, and also having the SOC ready to actively hunt down advanced attackers that pursue your data into the cloud.